null pointer deref from mount/umount + rm -rf loop

From: Kris Kennaway <kris_at_obsecurity.org>
Date: Fri, 18 Aug 2006 10:00:47 -0400
I ran mount -o ro -t nfs ...; sleep 2; umount -f nfs together with rm
-rf in a loop, and after some time the machine panicked with:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x34
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc052e22a
stack pointer           = 0x28:0xec8d7a74
frame pointer           = 0x28:0xec8d7a94
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 28944 (rm)



db> wh
Tracing pid 28944 tid 100205 td 0xc5469bd0
_mtx_lock_flags(24,0,c07266be,1a3,0) at _mtx_lock_flags+0x24
vfs_ref(0,ec8d7b28,cf05a900,ec8d7ad4,c06f97a8) at vfs_ref+0x32
vop_stdgetwritemount(ec8d7af8,ec8d7b14,c05a9601,c076a780,ec8d7af8) at vop_stdgetwritemount+0x1d
VOP_GETWRITEMOUNT_APV(c076a780,ec8d7af8,f8,3,1) at VOP_GETWRITEMOUNT_APV+0x3a
vn_start_write(cf05a900,ec8d7b28,1,cfd2ea20,ffffffff) at vn_start_write+0x34
vn_close(cf05a900,5,d25e8a00,c5469bd0,c071f37b) at vn_close+0x2f
vn_closefile(c5c27798,c5469bd0,c071e535,85f,cf05a900) at vn_closefile+0x8b
fdrop_locked(c5c27798,c5469bd0,c5469bd0,c5469bd0,c076a780,0,0,cf05a900,c077e840,8201000,c5469bd0,ec8d7c20,246,246,ec8d7c40,c052e311,c077e840,cf05a900,ec8d7c50,c050fcda,3e1,c071e535,0) at fdrop_locked+0x96
closef(c5c27798,c5469bd0,c071e535,3e1,c054ad17) at closef+0x1ed
close(c5469bd0,ec8d7d04,4,0,1) at close+0x185
syscall(bfbf003b,3b,bfbf003b,8250130,804b4d8) at syscall+0x163
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (6, FreeBSD ELF32, close), eip = 0x2815ba4f, esp = 0xbfbfe69c, ebp = 0xbfbfe6b8 ---
db> show lockedvnods
Locked vnodes

0xcd8ae360: tag ufs, type VDIR
    usecount 2, writecount 0, refcount 4 mountedhere 0xd07ea548
    flags ()
    v_object 0xc6d4ac24 ref 0 pages 1
     lock type ufs: EXCL (count 1) by thread 0xcfd2ea20 (pid 28947)
        ino 353827, on dev da0s1e

0xc6769240: tag nfs, type VDIR
    usecount 0, writecount 0, refcount 88 mountedhere 0
    flags (VI_DOOMED)
    v_object 0xcce78b90 ref 0 pages 87
     lock type nfs: EXCL (count 1) by thread 0xcfd2ea20 (pid 28947)

^-- showlockedvnods hung here.

Looks like I forgot to include DEBUG_VFS_LOCKS, I'll try to recreate.

Kris


Received on Fri Aug 18 2006 - 12:00:49 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:59 UTC